[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: REMINDER: RADEXT WG Last Call on "Crypto-Agility Requirements for RADIUS"

To: <radiusext@ops.ietf.org>
Subject: RE: REMINDER: RADEXT WG Last Call on "Crypto-Agility Requirements for RADIUS"
From: "David B. Nelson" <dnelson@elbrysnetworks.com>
Date: Wed, 15 Oct 2008 13:43:45 -0400
In-reply-to:
Organization: Elbrys Networks, Inc.
References: <Pine.LNX.4.64.0808131904270.24114@internaut.com> <AC1CFD94F59A264488DC2BEC3E890DE5065592E5@xmb-sjc-225.amer.cisco.com> <D4371E585AF84CD5BDF3EC1F35DABB59@xpsuperdvd2> <AC1CFD94F59A264488DC2BEC3E890DE5065CB35C@xmb-sjc-225.amer.cisco.com> <7215774374A94535A323C71758E60AA7@xpsuperdvd2> <C67C2CBFCD0D4F5BB3A374D82FC51662@xpsuperdvd2> <AC1CFD94F59A264488DC2BEC3E890DE506B78DD9@xmb-sjc-225.amer.cisco.com>

Following up...

> It comes down to the RADIUS client advertising what it can
> support, by means of hint attributes included in the 
> Access-Request packet, and the RADIUS server picking at most
> one of the options. 

So, it is apparent that use of encrypted packet payloads (either the entire
PDU or per attribute) cannot succeed until the cipher-suite is selected and
the client and server find that they share the required keys.  Without
getting into *design* of a solution, it seems feasible to me that the client
could "discover" the existence a cipher-suite and keys shared in common with
the server, without exposing any sensitive information using "classic"
RADIUS exchanges, by simply using a device such as the Call-Check mechanism,
to complete an Access-Request / Access-Accept (or Access-Reject) sequence
without disclosing any end user credentials.



--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>

Follow-Ups:
- RE: REMINDER: RADEXT WG Last Call on "Crypto-Agility Requirements for RADIUS"
  - From: "Joseph Salowey (jsalowey)" <jsalowey@cisco.com>

References:
- REMINDER: RADEXT WG Last Call on "Crypto-Agility Requirements for RADIUS"
  - From: Bernard Aboba <aboba@internaut.com>
- RE: REMINDER: RADEXT WG Last Call on "Crypto-Agility Requirements for RADIUS"
  - From: "Joseph Salowey (jsalowey)" <jsalowey@cisco.com>
- RE: REMINDER: RADEXT WG Last Call on "Crypto-Agility Requirements for RADIUS"
  - From: "David B. Nelson" <dnelson@elbrysnetworks.com>
- RE: REMINDER: RADEXT WG Last Call on "Crypto-Agility Requirements for RADIUS"
  - From: "Joseph Salowey (jsalowey)" <jsalowey@cisco.com>
- RE: REMINDER: RADEXT WG Last Call on "Crypto-Agility Requirements for RADIUS"
  - From: "David B. Nelson" <dnelson@elbrysnetworks.com>
- RE: REMINDER: RADEXT WG Last Call on "Crypto-Agility Requirements for RADIUS"
  - From: "David B. Nelson" <dnelson@elbrysnetworks.com>
- RE: REMINDER: RADEXT WG Last Call on "Crypto-Agility Requirements for RADIUS"
  - From: "Joseph Salowey (jsalowey)" <jsalowey@cisco.com>

Prev by Date: RE: REMINDER: RADEXT WG Last Call on "Crypto-Agility Requirements for RADIUS"
Next by Date: RE: REMINDER: RADEXT WG Last Call on "Crypto-Agility Requirements for RADIUS"
Previous by thread: RE: REMINDER: RADEXT WG Last Call on "Crypto-Agility Requirements for RADIUS"
Next by thread: RE: REMINDER: RADEXT WG Last Call on "Crypto-Agility Requirements for RADIUS"
Index(es):
- Date
- Thread